pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

add hosts

Browse source
This commit is contained in:
Hendrik Sokolowski 2022-08-22 00:53:04 +02:00
parent 66eadcf1b1
commit 8cc79885d8
62 changed files with 2203 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
flake.lock
View file

@ -336,6 +336,24 @@
"type": "github"
}
},
"nixpkgs-hensoko": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1666884246,
"narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
"ref": "refs/heads/master",
"rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
"revCount": 23,
"type": "git",
"url": "https://git.b12f.io/hensoko/nixpkgs"
},
"original": {
"type": "git",
"url": "https://git.b12f.io/hensoko/nixpkgs"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1672791794,
@ -352,6 +370,34 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1654994491,
"narHash": "sha256-HFu3HTFFFcZSKImuiki3q+MLvcc85hRgYvW+sXmH8LE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1f8d88087a3753e55a29b5207f7f0997f7c813fa",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 0,
"narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=",
"path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source",
"type": "path"
},
"original": {
"id": "nur",
"type": "indirect"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@ -363,13 +409,10 @@
"latest": "latest",
"musnix": "musnix",
"nixos": "nixos",
<<<<<<< HEAD
"nixos-hardware": "nixos-hardware"
=======
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs-hensoko": "nixpkgs-hensoko",
"nur": "nur"
>>>>>>> 5366306d (add profiles.daw)
}
},
"utils": {

100
flake.nix
View file

@ -13,7 +13,7 @@
flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false;
#digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
digga.inputs.nixpkgs.follows = "nixos";
digga.inputs.nixlib.follows = "nixos";
digga.inputs.home-manager.follows = "home";
@ -40,6 +40,8 @@
# hensoko additions
musnix.url = "github:musnix/musnix";
musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
};
outputs = {
@ -115,10 +117,6 @@
# Set host-specific properties here
bootstrap = {
modules = [
{ lib.our = self.lib; }
# FIXME: upstream module causes a huge number of unnecessary
# dependencies to be pulled in for all systems -- many of them are
# graphical. should only be imported as needed.
digga.nixosModules.bootstrapIso
];
};
@ -130,6 +128,31 @@
#})
];
};
companion = {
system = "aarch64-linux";
};
cox = {
system = "aarch64-linux";
};
falcone = {
system = "aarch64-linux";
};
giggles = {
system = "aarch64-linux";
};
norman = { };
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
surfplace = {
modules = [ nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
};
};
importables = rec {
profiles =
@ -138,11 +161,10 @@
users = digga.lib.rakeLeaves ./users;
};
suites = with profiles; rec {
base = [users.pub-solar users.root];
iso = base ++ [base-user graphical pub-solar-iso];
pubsolaros = [full-install base-user users.root];
anonymous = [pubsolaros users.pub-solar];
pubsolaros-light = [ core-light base-user users.root ];
base = [ users.pub-solar users.root ];
iso = base ++ [ base-user graphical pub-solar-iso ];
pubsolaros = [ base-user users.root ];
anonymous = [ pubsolaros users.pub-solar ];
hensoko = pubsolaros ++ [ users.hensoko ];
hensoko-iot = [ server base-user users.root users.iot ];
@ -159,17 +181,59 @@
# vm
redpanda = hensoko;
# home pc
harrison = hensoko ++ [ daw graphical non-free social work ];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
# cm4
falcone = hensoko-iot;
# surface
surfplace = hensoko ++ [ graphical non-free social work ];
};
};
};
home = {
imports = [ (digga.lib.importExportableModules ./users/modules) ];
modules = [ ];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [ direnv git ];
home = {
imports = [ (digga.lib.importExportableModules ./users/modules) ];
modules = [ ];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [ direnv git ];
};
};
users = {
pub-solar = { suites, ... }: { imports = suites.base; };
hensoko = { suites, ... }: { imports = suites.base; };
iot = { suites, ... }: { imports = suites.base; };
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
devshell = ./shell;
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
redpanda = {
hostname = "192.168.42.71:22";
sshUser = "hensoko";
fastConnect = true;
profilesOrder = [ "system" "direnv" ];
profiles.direnv = {
user = "hensoko";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = { sshUser = "iot"; };
cox = { };
giggles = { };
ringo = { };
cube = {
sshUser = "iot";
};
};
users = {

16
hosts/companion/companion.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

63
hosts/companion/configuration.nix Normal file
View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/companion/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./companion.nix
] ++ suites.companion;
}

61
hosts/companion/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

55
hosts/companion/home-controller.nix Normal file
View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.13";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

23
hosts/cox/backup.nix Normal file
View file

@ -0,0 +1,23 @@
{ self, config, pkgs, ... }:
{
virtualisation.oci-containers = {
backend = "docker";
containers = {
backup-ssh = {
image = "linuxserver/openssh-server:arm64v8-latest";
ports = [ "32222:2222" ];
environment = {
PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
USER_NAME = "backup";
TZ = "Europe/Berlin";
PUID = "911";
PGID = "911";
};
volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ];
};
};
};
}

65
hosts/cox/configuration.nix Normal file
View file

@ -0,0 +1,65 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./backup.nix
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

16
hosts/cox/cox.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}

61
hosts/cox/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

55
hosts/cox/home-controller.nix Normal file
View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.12";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

8
hosts/cube/acme.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

34
hosts/cube/backup.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, lib, self, ... }:
{
age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repository = "sftp:backup:/data/hdd/restic";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}

53
hosts/cube/configuration.nix Normal file
View file

@ -0,0 +1,53 @@
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
./invoiceplane.nix
./tang.nix
#./whiteboard.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "80.244.242.2";
prefixLength = 29;
}];
defaultGateway = "80.244.242.1";
nameservers = [ "95.129.51.51" "80.244.244.244" ];
};
services.openssh.ports = [ 2222 ];
networking.nat.enable = true;
networking.nat.internalIPs = [ "10.10.42.0/24" ];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}

15
hosts/cube/cube.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
pub-solar.core.disk-encryption-active = false;
networking.networkmanager.enable = lib.mkForce false;
}

6
hosts/cube/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}

21
hosts/cube/drone.nix Normal file
View file

@ -0,0 +1,21 @@
{ self, config, pkgs, ... }:
{
age.secrets.drone_exec_runner_config = {
file = "${self}/secrets/cube_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.docker-ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "1";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}

38
hosts/cube/hardware-configuration.nix Normal file
View file

@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
fsType = "ext2";
};
fileSystems."/mnt/internal" =
{
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
}

19
hosts/cube/home-assistant.nix Normal file
View file

@ -0,0 +1,19 @@
{ self, pkgs, config, ... }:
{
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;" +
"proxy_pass_header Authorization;"
;
};
};
};
}

53
hosts/cube/invoiceplane.nix Normal file
View file

@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.11";
domain = "inv.gssws.de";
hostStateDir = "/mnt/internal/invoiceplane";
containerStateDir = "/var/lib/invoiceplane";
in
{
# nginx
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${serviceAddress}:80";
};
};
};
# invoiceplane
containers."invoiceplane" = {
privateNetwork = true;
hostAddress = "10.10.42.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = { config, pkgs, ... }: {
networking.firewall.allowedTCPPorts = [ 80 ];
services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
date.timezone = Europe/Berlin
'';
services.caddy.virtualHosts."http://${domain}".listenAddresses = [ "0.0.0.0" ];
services.invoiceplane.sites."${domain}" = {
enable = true;
stateDir = containerStateDir;
database = {
user = "invoiceplane";
name = "invoiceplane";
};
};
};
};
}

98
hosts/cube/nextcloud-apps.nix Normal file
View file

@ -0,0 +1,98 @@
{ self, pkgs, config, lib, ... }:
{
services.nextcloud.extraApps = {
"bookmarks" = pkgs.fetchzip {
sha256 = "sha256-sX/2cd0lw2/fHwFUG3WUJ6E0AUzPqELHWCcdOYIbFzA=";
url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz";
};
"bruteforcesettings" = pkgs.fetchzip {
sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok=";
url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
};
"calendar" = pkgs.fetchzip {
sha256 = "JBFujtDVRWn6ELl7fZU80go86/WLln5oRJTupTz9//s=";
url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
};
"contacts" = pkgs.fetchzip {
sha256 = "eTc51pkg3OdHJB7X4/hD39Ce+9vKzw1nlJ7BhPOzdy0=";
url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
};
"cookbook" = pkgs.fetchzip {
sha256 = "QBmzGtjH8vciUxiku1HGnWw0P0oCySilEWciLoslDAU=";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
};
"cospend" = pkgs.fetchzip {
sha256 = "Vtg7CVf8KxGbFk9ghTvy86xOh9PD7o/c2//2mqqHARA=";
url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz";
};
"deck" = pkgs.fetchzip {
sha256 = "hK+uI4Qolx37FYeY7m8BXheEIWp3I4cFooMUnpuVfOk=";
url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz";
};
"files_accesscontrol" = pkgs.fetchzip {
sha256 = "D9hVQrOMPsyTBbr7B92aePzUOYpnNu5XnpqK4W86514=";
url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz";
};
"files_automatedtagging" = pkgs.fetchzip {
sha256 = "MdS63VELoM7kGzjzbEKfcH1KqX98KyGvDEvLgwvVld0=";
url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz";
};
"files_fulltextsearch" = pkgs.fetchzip {
sha256 = "+1asXhTn62fpUlIi+B9ALKdrXxaYYymfhxPTB+C5obM=";
url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz";
};
"files_markdown" = pkgs.fetchzip {
sha256 = "vv/PVDlQOm7Rjhzv8KXxkGpEnyidrV2nsl+Z2fdAFLY=";
url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz";
};
"files_mindmap" = pkgs.fetchzip {
sha256 = "gJK+XCWDc1jpHZBR0NL6UdHab9V/X/tRNmSw5tl751Q=";
url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz";
};
"fulltextsearch" = pkgs.fetchzip {
sha256 = "6uZhK4rItVqIJfEpOWxgmVXYsWMeHKxHQ8GY/g5Wj/s=";
url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz";
};
"groupfolders" = pkgs.fetchzip {
sha256 = "99DqybcYR2tTSNFyZ6QtIQmd3XyHyFy2PL1fGsq48kQ=";
url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz";
};
"impersonate" = pkgs.fetchzip {
sha256 = "XevbFa2Xyu0qAwtpvSd9CulsejrBj4AeIkV7GuWoOMw=";
url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz";
};
"keeweb" = pkgs.fetchzip {
sha256 = "Fdx3+APQaJQ/uQH/gnkiPmsOqzX5GNJWjPfTyUobtfA=";
url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz";
};
"maps" = pkgs.fetchzip {
sha256 = "2w7Mm+L9cHYq9BLpBpWhMv+V4h3OKCh68Cl6iHt65js=";
url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz";
};
"news" = pkgs.fetchzip {
sha256 = "jbuqQJWLdE0olIaXLzjUEsPON4ZzMe9RKpH50HZZQsc=";
url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
};
"notes" = pkgs.fetchzip {
sha256 = "WdteA8pDSZ7ba+kngmveHC2KgzyLSB+PomFEZ7/uCC0=";
url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
};
"quota_warning" = pkgs.fetchzip {
sha256 = "ugiz1/dhpRoL401h/u3fQykP5zBqVby3nhHfQwyIIIQ=";
url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz";
};
"richdocuments" = pkgs.fetchzip {
sha256 = "4B0johygJOiC/nbXiW5KU+7hweCin//rUGfFprYzRQU=";
url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz";
};
"tasks" = pkgs.fetchzip {
sha256 = "HMNd8U2KsSzT5xCKh/mA5GwIfYIcA6KTFVF3ca8xc2A=";
url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz";
};
"twofactor_totp" = pkgs.fetchzip {
sha256 = "F7h2VytPLwkVZxJZd1o9pWuhndh02z3i0pOUw5kzBIU=";
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz";
};
};
}

155
hosts/cube/nextcloud.nix Normal file
View file

@ -0,0 +1,155 @@
{ self, pkgs, config, lib, ... }:
{
imports = [
./nextcloud-apps.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
settings = {
max_connections = "200";
};
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# REDIS
services.redis.servers = {
"nextcloud".enable = true;
};
users.groups."redis-nextcloud".members = [ "nextcloud" ];
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = [ "127.0.0.1:9980:9980" ];
environment.domain = "data\\.gssws\\.de";
extraOptions = [ "--cap-add" "MKNOD" ];
};
services.nginx.virtualHosts."office.gssws.de" =
let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in
{
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php81;
poolSettings = {
"pm" = "dynamic";
"pm.max_children" = "128";
"pm.start_servers" = "64";
"pm.min_spare_servers" = "32";
"pm.max_spare_servers" = "76";
"pm.max_requests" = "500";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = [ "80.244.242.2" ];
defaultPhoneRegion = "DE";
};
};
}

63
hosts/cube/wireguard.nix Normal file
View file

@ -0,0 +1,63 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

57
hosts/falcone/configuration.nix Normal file
View file

@ -0,0 +1,57 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
pub-solar.core.disk-encryption-active = false;
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
extraInstallCommands = ''
cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
'';
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/falcone/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./falcone.nix
] ++ suites.falcone;
}

16
hosts/falcone/falcone.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

35
hosts/falcone/hardware-configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
#boot.initrd.supportedFilesystems = [ "zfs" ];
#boot.supportedFilesystems = [ "zfs" ];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

65
hosts/giggles/configuration.nix Normal file
View file

@ -0,0 +1,65 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/giggles/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./giggles.nix
] ++ suites.giggles;
}

16
hosts/giggles/giggles.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

61
hosts/giggles/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2F05-9B4A";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

53
hosts/giggles/home-controller.nix Normal file
View file

@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.11";
k3s = {
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

19
hosts/harrison/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1150
}
output $right {
scale 1
pos 3360 1150
}

49
hosts/harrison/configuration.nix Normal file
View file

@ -0,0 +1,49 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.dhcpcd.wait = "background";
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

6
hosts/harrison/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./harrison.nix
] ++ suites.harrison;
}

70
hosts/harrison/hardware-configuration.nix Normal file
View file

@ -0,0 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = lib.mkForce true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

28
hosts/harrison/harrison.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
pub-solar.paranoia.enable = true;
pub-solar.nextcloud.enable = true;
programs.ausweisapp.enable = true;
services.pcscd = {
enable = true;
plugins = [ pkgs.pcsc-cyberjack ];
};
};
}

16
hosts/norman/.config/sway/config.d/custom-keybindings.conf Normal file
View file

@ -0,0 +1,16 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

18
hosts/norman/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,18 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Eizo Nanao Corporation EV2316W 39117013'
set $right 'Chimei Innolux Corporation 0x14D4'
output $left {
scale 1
pos 0 0
}
output $middle {
scale 1
pos 2560 770
}
output $right {
scale 1
pos 1000 1440
}

63
hosts/norman/configuration.nix Normal file
View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
hardware.nitrokey.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 30;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/norman/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./norman.nix
] ++ suites.norman;
}

46
hosts/norman/hardware-configuration.nix Normal file
View file

@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
};
}

22
hosts/norman/norman.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
pub-solar.audio.bluetooth.enable = false;
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
};
}

94
hosts/norman/wireguard.nix Normal file
View file

@ -0,0 +1,94 @@
{ config, pkgs, ... }:
{
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"10.20.50.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.7.0.21"
];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.7.0.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

35
hosts/ringo/configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/ringo/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./ringo.nix
] ++ suites.ringo;
}

43
hosts/ringo/hardware-configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

43
hosts/ringo/home-controller.nix Normal file
View file

@ -0,0 +1,43 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.21";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
}
];
};
};
};
}

13
hosts/ringo/ringo.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config.pub-solar.core.lite = true;
}

32
hosts/surfplace/configuration.nix Normal file
View file

@ -0,0 +1,32 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
time.timeZone = "Europe/Berlin";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager.enable = true;
#boot.loader.systemd-boot.enable = lib.mkForce false;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/surfplace/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./surfplace.nix
] ++ suites.surfplace;
}

44
hosts/surfplace/hardware-configuration.nix Normal file
View file

@ -0,0 +1,44 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.extraModulePackages = [ config.boot.kernelPackages.rtl88x2bu ];
fileSystems."/" =
{ device = "/dev/disk/by-label/root";
fsType = "ext4";
encrypted = {
enable = true;
label = "cryptroot";
blkDev = "/dev/disk/by-uuid/77829967-0c52-4a52-a65c-cfc093d18776";
};
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2697-F70A";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-label/swap"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.video.hidpi.enable = lib.mkDefault true;
systemd.services."iptsd" = {
serviceConfig = {
RestartAfter = "5s";
};
};
}

11
hosts/surfplace/surfplace.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
}

0
modules/core/bluetooth.nix Normal file
View file

BIN
secrets/cube_drone_exec_runner_config.age Normal file
View file

Binary file not shown.

20
secrets/cube_invoiceplane_db_password.age Normal file
View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw YnfnbbrYnmZj+Sp7IzNko2UN++D+5RPRKUO4s9BJYm0
250etp+3Xk98f3p464gytQzuOUZtmb0wp2weOOr3TKs
-> ssh-ed25519 YFSOsg Ugqj12V4oVALYruVs2gAvdmX7FPj8bXhw6rADRIQCTA
HL2RU0FMjuVUnNr0NjFYya19D77biMTjY0NUNXw+X5k
-> ssh-rsa 42S2Dw
C0Kwv29evJTIMvtQJt7t3qBaFC6kKd2KXLiQt9PLdotVirMilNxTBAahgPPf5+Wh
vpykEhQdnPGRITlxRLHQARVtwr0sERTi3KSdU5w2FSoAbMx7MoMpct/OvT32UTI5
atUpIbZRKiVaCNvgdMBYYuHzbndaZ1xiuUkm+TH+VPcvzGpIHew7V86T/R86O3Gy
UK0eeT7bgKCLzV9B/A0MMnzQ2+bw3ArXwwivxhWWDO9nIAyF6aOxdZr+X3rl2p/6
IYf0AoEV/miqKm7yuxDExFkrJ1fRrZ1nq+lHPneURb/1rXJFfgZ2FQ+knDtokfp6
fDBLGXXB7NSXkKAv7VLpXg
-> ssh-ed25519 iHV63A z0GdyHGN7aJwL9oYkcUY3Qw/BMJ5W5D8i+tU6W7Haw4
nSCKSMvJDvkGQfxaAnskwKEk6a7XKjbaB/Bkyq1X/c8
-> ssh-ed25519 uTVbSg 2Ho8KrV3xfNtwN+TepeS52aQZaqn8R9RpbZXTv7Tpjo
kUX//t2VYMPdGwSa3Xx/wgI2mcPvksBb85BE869K7V4
-> mk!&q*4-grease PdOI 5~Z: NZD
ItuRMmjRrLT8EiY4zEmCW3uC9x3/5Ol4mzwmFXe0wT0
--- /gVjl7gfaIAgikOCRKcz6BMaFTNFi8n2OM3DrWn1qkQ
*½W^äeYó-¿Š¹2v•"¤]òÐ0UÕñ3 çñvo@c@%<25>Ó{I('Ê9(¿À´t³Qyò¶©ó²ô>BŒò“Yžî+II˜í5¯†D

21
secrets/cube_restic_repository_password.age Normal file
View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +rkFPrQE8peUim4x6Ky9ZOq1th5ClCoBGZnHpyUpdhg
RUg+Iy9Tr/rYLac2QZXHgEIXVeUgzThkknHKXw0zcc8
-> ssh-ed25519 YFSOsg f+9e0azb6BGCW2BAqzY0jeGX35SOg5H8esxKnslo1Bw
zTrfb7rz9rtlGL+RYF+k0bPTJrCCj3sIiRpjqkNwktY
-> ssh-rsa 42S2Dw
E0CKXcPmBbOGFjsKpzr6XD2wiK6X6bACpHxO6qdRfN1vntoRLRsrMlHhiB9nbn3V
wyVou0OtIXoEuW7X/AZDatB2zQp4gs/C6j7jX3MhtzC60qrGpqxZ+qSRwsybbMHl
23ceddRQfudIkojKolpuZj6LhmqHo7psg8HF+OMMMvq8AU2/FLULOoWy5pjtfZTf
FrhbjSHJPe8CDGhHVANd7nmhuNYLf/HoO3/VNCmF5g5FVdTl+oIbV/lG+h9XEkMV
Brmew59jOUNZQkKixA8Qs+Q9jmozVKUfdVNt5214NucExbPkgznOmtp5XyfIZUHP
fcOAonVVoSTsEP2YiPSOkg
-> ssh-ed25519 iHV63A RchzJvnl56NtfqNJ4BclwhEnxmxveeXmdKsk5anyoGY
838Yzcs0Y/d4aRGGpaIUe4HlncnHB/90KPl4Jc6M6gc
-> ssh-ed25519 uTVbSg yUxd7jAji+mUlayh3HAmtt15LT0qIijFdZfxm/QXJ1A
B03YY7feAxzquD55hkqdjfjp7F3UOgPws3CHz6vq5/E
-> s-grease
sVUB69ht3umxJ0/t3sgli+GG1jJYbRH3NAYRXxyjM7cD7kwimAwa0Cv8briHBncF
CXY
--- +656WjsF5wgufRPmpuHmh4BWdHsLLu2R0ZJ9Ryml35k
—»¢ à£mbjôò%ÞöǪµüƒÜò¯^S¸ÅÒ0„ðžË ¾Ðgu÷Z“UŸz¸ _˜²¶ÛGv„=³6Œ@ã’³Öâ¥ðÒ{0<>n

22
secrets/cube_restic_ssh_private_key.age Normal file
View file

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +A6/Q0jkgCU8oT8UwEOXm+ilWBZSkPheytu+qWJ8ow0
kBztg+HTVR8tNJR9cws2wAfXf/p+SlDZ/HoXYyhSP5Q
-> ssh-ed25519 YFSOsg RlxOjmi/X/nXaN1pur/YkOeNMfaNjaeRlhuIy8Xg/C4
rXLCp5cOgqg97NlsIhNOtReLro3ELEfcfEFmeh5QmXg
-> ssh-rsa 42S2Dw
ivPg0J88URraGg/P1pYwPbHAPcLRxOEEGhIve858Wv0TJxyeSLFMEgyal6fKnxQN
bE+SuV9ZAWRx4LCmaxq35exfXJAclcC4zg+WOui3uojeWf6Yo/Q0OXGYhS5uHMHm
SJnIKoIKsdrD7g+0hoTKKztrjliK/zw8ooBPP8c6KGKncIhWGWfvS+eBzYkQp0VE
mMplI6YGTGtKavR7w5X9NG9rb5Ot0jdTuM+Q1URhtXbER1ZJWnEQMfdGeHEYKTXA
cJR08iiMY3J/XeYnv+I8B8FBCfWZurMDeH72t7TjObaZEBz/gKl6sk1+FuEBLQR0
r1Fqd9w06fgMcuVLLdFZQg
-> ssh-ed25519 iHV63A a27f4SrL8d4VTA/zf0ZFN+gRZEZYjfXxGRkK+0BvFBI
FPY1Vl6t1KMdmLMuhrF0NZptzrwGNyEgw+IHxvZkNT4
-> ssh-ed25519 uTVbSg cNe3wLmtGYd8E/mVT4nnGc9uKwVfKeLkPOA4iWH/n00
zUGfMmyqVA8+wH4U9e3aLCOyUn7JQbvd2hFViCGkAZs
-> ;y-K-grease 'D %/|`ff=t
EIllMsZQ7AqFv1F9F8SOleLU4Q1PKLJIdw7FL1fveIuPdnBPguvrcyw1kQeCzZ7M
F2LCYbb0cJUlJi1Mo+LxFEC4cCS0NI1hlMtbh5c4cxy7Ay/cpzCxhY9yVV8
--- fXi80THZW40z8KwPZUmXCYcp3zjgI/P0SyOGbI6SEOI
tã_öcO¿9¿<EFBFBD>ÀD:EŒ¯aCXûU¦Åãà×ì´ÐŘí-wØÄ<ÔÚÕâsFw¥{íclœ<6C>×ÙÍЮ?Zô¦{œ¥%þ1XÝh<C39D>‡çÖÚ`™>`)!ÔÏ9DO+bð<âþ9¨÷4\˜¸ËÒeæ5v<35>ö=kJ”%sðŽÏ|a#ÞºÎ!PIçZ°£•êGlªh:j©”ÅO¦`1dqÓ$0ýRFɦð.ݽwù˜]!¸¢<C2B8>Mnøo|ägPšÌ|רÒ^Ð"£2òÛÅhB…¬øiÑ«§Òá¨<18>!~f[zü¿;`ÑHpÅH F~–§ëýK<C3BD>ÁJRÖñT~5¬Ag†<67>v•œªR3öf©¼lÁD/7ÔY2ÚÍb<7F><E284A2>SáO­»=)¦8£(±ÅýÛF.ÁÑ+ì<$* 0×Ç<C387>@¬#R]]±¢Öš8Ç9?ñW·%¯Õñ중ë!ƒÝ,;Qåͺ¥£±®ØŠÝÙNÒ~ÿx¸±¥fM*?Úð˜ áå<C3A1>¾Èì'x½ÝÏpØCߪËU
<>ü_ N.éŽÈ

43
secrets/email_gssws_password.age
View file

@ -1,22 +1,25 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw 1+o3Kv3nXAiMEyY8GVW7ZMCILH/SToajDAYM0HR3/FU
YgmC4YvrNidF5sr3h2KtByL/ehS8RC2yEKQf8pkcruE
-> ssh-ed25519 YFSOsg Ju5LywricieLjgr6GeaXyN6RwrT2rf1ypjyvABtYkEE
TeZO7TBBIK58XTN5Bi9UdAde8vlEeIuiRnnYuTWV3Ds
-> ssh-ed25519 hPyiJw L1ibB8t4cvp/OXx9HQAxdEyI85z/1Lz5m4li6jA9Kz8
yBswoHr9wY7cw4Jd4bgaT0acbUz6SOXZ03UFmFtTUEM
-> ssh-ed25519 YFSOsg LLswQxf9SCn+iEDeLnSrYkVxfzayM8U2DBW974hpAxA
8lsCg3xMdgBthhuwqiFVx8pbz7uTLZ0RynIvczCYBhA
-> ssh-rsa 42S2Dw
YR3lIzLqv6FZlKHgPYc2uVo8kiuEStoP+wZqMsNJwlpT9VIUn2n7V3Pj7gsRUtN7
dYjVEnXCXOYJiT1cKitbsQ/uvO7pDh7Ol4cve4yCt5OTXqux4MsZRBTvBXmbom7v
BZCOruqKIViWChXLo6s1vhJ2Rv3LzY12h1IGlDrVqyTHAxUga7aQmKnFzICwsb2M
6A7JDryveWA3AWntHOgw6G/OzL6TlZxa51w6UAW3z+cckEttmwfLaaOhT2xuhAvJ
3SH856B5Xtx7qWyooN7Cq2XQAlZ3DKJVmjIJvI1y9DdpZlO29kXZXI6FZJb6ZJMM
c0GntItUK2VXGwR+a+PIDg
-> ssh-ed25519 iHV63A 68iPatktmiT9enmwFBH0O2KS7Iu5ZR3vEdrD6OKTwyg
IyRwEOu+/ThnqIG42fYxr65rpniPqvS5HYNP3xQgYfU
-> ssh-ed25519 VApqug rYWmUWJxn6FnnZGopYUzrTcbTBsr+zHuhrSisHl6LXM
7XANpzZrrZlsPILu0UhNh3s1UoUwhGXVUhhmMfZuBqw
-> -.bX&'x-grease mStW!.EH *+Q`QW/
0jNHMBJOkpVUD7xoEr7ymD2f3kCEIU0SZkPJ8wJfxYSg4F/4Pwc19+tHChEjOHCC
svyV
--- rCetdRQgIw8CPjfsojxST3lEYYbxGMRhBi9rBfIpQx0
÷
ƒS!À>¤8çþÁ] §'ÚiÚ Ë÷áª[˜cw¯<1B>ó†a îõ1·öÊÄ€™'¬SË¡“
NgKNMMnaozW4qWvXhK5AKSJkXffIKtTKBla28z7ruFv53mGqRwRKYATB2mFDiVH4
PgDHv6+M5UBqbFEN48bzngnrugWjWXRDoXJifsfMeWXDCbd0z/X2JPul3PCi0jpB
Pgzcl5kuM4BxRDIkn/F9uc7y5ybGn9LUpbRWrWDdz8t5Vc4xYLY2UnhGkK5Oi1Cq
H8Dgv4N6oTWerzeXyRiir6PbhMFHBbMconi6rU0u4/ZFyllLHJG3ocxAMFiKknlx
6obLiszq1Jdb/N/1Wi6SN3wSu/RiVHEabgb08kzUf6t3DSIsqeh/3rUV0IdjF/mp
T5XXzUIhZyadH+Ddxrl75A
-> ssh-ed25519 iHV63A ddkExJKu/Jys/9jiSUOg2ZKGKYIf+Y7G9QASxCZdOW4
y/XOHNRaJjvKw5RZw1oUCP7nPY7t+ZMbTNxIStVCfRI
-> ssh-ed25519 VApqug Uf71meztk0oZUJHjJ8Sdth4QdfaDWzv2wAsj6f1lt0E
vtkLmvXGgK+lnPI+RS3JRZH71TBjfkozAK5dW3a3uoo
-> ssh-ed25519 NhniTw vvLxotjVSTvf9KKJn9lZ08DgKonQbI8C+jTTET7h3WI
b8QFEGpS2Ll4EbxCK6xfCHLB5DMT4+kOASz6STtuDEw
-> ssh-ed25519 f35zxg B2hFbT3p201jS5YC6E7kHlo0O0sSQsZkMjj3c36KHAY
PnVcMx0G2gWMtFn6LFhGDZ/+1d1mtdsAzsL+JuBr6bE
-> r\{-grease
Y8zuemoJ8F+VQAQBf9EdPMj2BvfODuc2rY4RxnTxSCNlm5fQu+nzUpr2cxXYdRZc
miiCinz2+S5kJph9WwKbpC7RNyuegok1ww
--- YcYQRF4M9Gik+v1Txho8noV9bt3hBmsCDiNABOC4qFg
/½Èädæs,ƒºÂ87¿ë²»ÃOÌᛓ€æKî`0 nØøJ_, P³Ô#1b ·b#

13
secrets/secrets.nix
View file

@ -15,6 +15,13 @@ let
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
system_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFePAtdXP/4J0UdChfRC78Tj/yBZaUNTNnbwXe9HJx6 root@nixos";
system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos";
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
systems_email_accounts = [ system_harrison system_norman system_surfplace ];
systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
allKeys = users ++ systems_home_controller;
in
@ -26,6 +33,12 @@ in
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
"cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
"cube_invoiceplane_db_password.age".publicKeys = users ++ [ system_cube ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];